18 Jan 2014

Whitelisting CloudFlare in Nginx

I recently moved from Apache2 to Nginx as my web server of choice because of its low memory footprint so I can run it on a very small Digital Ocean Droplet (thats a referral link, here’s a direct link https://www.digitalocean.com)

CloudFlare is a Content Delivery Network (CDN) provider and has a free tier, which is great to protect my lttle droplet. And to protect it even more you can white list CloudFlares IP’s.

To do this, create a file that allows all of CloudFlare’s IPs. You can then include it into your nginx config. If you have multiple sites you can include them in each or globally or per site.

Create /etc/nginx/cloudflare-allow.conf

# https://www.cloudflare.com/ips
# IPv4
allow 199.27.128.0/21;
allow 173.245.48.0/20;
allow 103.21.244.0/22;
allow 103.22.200.0/22;
allow 103.31.4.0/22;
allow 141.101.64.0/18;
allow 108.162.192.0/18;
allow 190.93.240.0/20;
allow 188.114.96.0/20;
allow 197.234.240.0/22;
allow 198.41.128.0/17;
allow 162.158.0.0/15;

# IPv6
allow 2400:cb00::/32;
allow 2606:4700::/32;
allow 2803:f800::/32;
allow 2405:b500::/32;
allow 2405:8100::/32;

Then in your sites-available/site.com add:

server {
  listen 80; ## listen for ipv4; this line is default and implied
  listen [::]:80 default ipv6only=on; ## listen for ipv6

  include /etc/nginx/cloudflare-allow.conf;
  deny all;

  server_name direct.site.com www.site.com site.com;

  #...the rest of your config here...
}

Thats it, now when access the page via your direct hostname, it will give a 403 Forbidden. Note this is still a hit to origin and nginx will process it. I did this approach as I have some other hosts not in front of CloudFlare.

Alternatively you can use iptables to drop all packets not from CloudFlare https://support.cloudflare.com/hc/en-us/articles/200169166-How-do-I-whitelist-CloudFlare-s-IP-addresses-in-iptables-

Links:

More info on ngx_http_access_modlue which provides the allow/deny: http://nginx.org/en/docs/http/ngx_http_access_module.html

Setting up virtual hosts in nginx: https://www.digitalocean.com/community/articles/how-to-set-up-nginx-virtual-hosts-server-blocks-on-ubuntu-12-04-lts--3

Want to contribute to this article? Edit this post on Github!